Joel Drapper 🇬🇧🇺🇦
@joel.drapper.me
2K followers 970 following 2.4K posts
I’m a Ruby/TypeScript/CSS engineer at @plane.com and based in the UK. https://joel.drapper.me I’m building a Ruby/SQLite serverlesslessness framework. I also maintain @phlex.fun. Signal: joeldrapper.01
Pinned
joel.drapper.me
My team at Plane is hiring experienced full stack engineers. We use Rails, Postgres, Phlex, Vite, TypeScript and Svelte. I don’t have a full job description yet, but drop me a DM if you want to know more.
joel.drapper.me
You already have everything

Follow means “I’m looking”
Repost means “I endorse”
Like means “this meant something to me: made me sad, angry, happy”
Comment means whatever the comment says
Subtweet means “this person made me angry”
Repost with comment means “everyone! read what I said about this”
joel.drapper.me
It belonged to the maintainers.
joel.drapper.me
When HSBT added Marty, that broke his contract as a maintainer. There’s a specific policy for adding new maintainers. This was a hostile takeover.
joel.drapper.me
Ruby together never owned the RubyGems open source projects. It only contributed to them. It also contributed to Ruby API and Ruby Toolbox.

In theory, it could have contributed towards Rails or RSpec or the Ruby language. In no case would contributing to an existing OSS project confer ownership.
joel.drapper.me
It’s simple. It’s the same way that they own the service but don’t own Rails or Phlex or Ruby or Linux.
joel.drapper.me
Though all that code would also be in the AST.
joel.drapper.me
I guess you’d also have to see if any blocks captured the local variables?
joel.drapper.me
Yeah, you could get around this by having a domain name specified in the Gemfile. But even then, you’re trusting an authority. The certificate authority.
joel.drapper.me
But you can’t trust the gemspec if it came from RC.
joel.drapper.me
I guess you could have some sort of system where you can request a PK from a trusted domain name, e.g. example.com/.well-known/...
joel.drapper.me
But where does the user get the public key from?
joel.drapper.me
That would leave the environment in a bad state. You would have to be sure that there are no literal or dynamic reads of the local variables. This is something that’s very difficult to check statically in Ruby.
joel.drapper.me
Since i is a local, that can be compiled to

i = 500_000
puts i
joel.drapper.me
It’s a start anyway but I think we’ve got to move past trusting RC to give us the right checksums.
Reposted by Joel Drapper 🇬🇧🇺🇦
rmrubyconf.bsky.social
We're so very excited to have André Arko (@indirect.io) with us today presenting what makes and keeps an app production-ready.

... and I hear he'll be back on the stage for lightning talks too!
joel.drapper.me
I sent my draft for feedback from the podcast hosts so will aim to publish about this time tomorrow or earlier if I hear back from everyone before then.
joel.drapper.me
Unfortunately my voice isn’t on that one but I am writing a commentary on it now.
joel.drapper.me
They already did it with the bundler gem.
joel.drapper.me
Because it’s a mirror of the RubyGems.org registry.
joel.drapper.me
Gem.coop is a start but it’s miles away from solving the problems. For example, it’s still vulnerable to another supply chain attack by Ruby Central.

Resolving things with RC would be much better for the Ruby ecosystem and community health.
joel.drapper.me
Hiding behind weekly press releases from a PR consultant that don’t even address the issues raised by the Ruby community is not a good look for Ruby Central.

What we need is honesty, transparency and openness. Talk to us. If you think you did the right thing, you can explain it. We’re listening.
joel.drapper.me
I’ve repeatedly tried to open dialogue with Ruby Central and I know many others have too.

I’m happy to have the conversation live, with whomever Ruby Central wants on the call.

My only agenda is the health of the Ruby community and ecosystem.

cc @ufuk.dev @apiguy.dev @rubycentral.org
joel.drapper.me
I’d be very happy to join any podcast or video to talk about the Ruby Central security situation.

I’m not directly involved, but I’ve probably spoken to more people who were involved than anyone else at this point.

I’d be especially happy if someone from Ruby Central’s board joined too.
joel.drapper.me
Defund Ruby Central until they give back what they stole and start being honest with the Ruby community.

Their behaviour is shameful and in direct opposition to their charitable purpose.